Symantec Access Management

Requirement is to do a kerberos login when user is on network and domain joined machine and fallback to form based authentication otherwise.

We are able to achieve the kerberos login without any issues and in case of fallback we are getting windows pop-up which we want to remove , Any help is appreciated.

Below is the snippet of code:

try{

String auth = request.getHeader("Authorization");
if (auth == null){

response.setStatus(response.SC_UNAUTHORIZED);
response.setHeader("WWW-Authenticate", "NEGOTIATE");
response.flushBuffer();
//return;
}
if (auth != null && auth.startsWith("Negotiate")){
redirectURL = kerberosRedirectURL;
}
else {
if (orginalTarget != null) {
orginalTarget = orginalTarget.replaceAll("-SM-", "");
orginalTarget = orginalTarget.replaceAll("--", "-");

formProtectURL = formProtectURL + "?&ORIGINALTARGET=" + orginalTarget;
redirectURL = formProtectURL;
}

}

You can stay "in listen" using (if any) loadbalancer and handle at the beginning the request. Based on IP, Domain or other machine/session info you can send user/request to a resource protected by kerberos or instead send through a standard auth schema (form).

Cheers

Pasquale

Pasquale_Russo,

I am starting Kerberos authentication for O365 and fall back to form based authentication from scratch. Is there any document that you could help with. I have very little to none knowledge in coding. Please let me know, if you could assist with any samples.

And I have a similar use case as the original poster of this thread.

I created an Ajax page to handle that. In this case, even if there is an error the popup will not show and user is redirected to a specific page:

Thank you Wellington,

But from the code, i see that it uses only Kerberos. If the user is logging in from external network, then it doesn't know how to redirect to form based.

scenario here is to redirect to form based authentication if the user is logging in from external network. if he is in internal network, the user will be authenticated using kerberos, And i am using CA Access Gateway to do the proxy and redirect.

any help is much appreciated.

BR, 

Joseph

Thank you wadami

Can you please let me know the implementation of it ? Should we include this page in auth scheme and once application is accessed than it can redirect to this page which redirect to creds.kcc and if authentication fails than redirect to form based login.

Will this work for chrome and IE both? I will try this today and see if it works.

Thanks,

Kanishak

Here is the problem:

it redirects to the context protected by default Kerberos auth scheme but it did not redirects to that auth scheme of creds.kcc and just fallsback to form based.

When i try to access that context protected with kerberos directly it works fine and redirects to creds.kcc. So in this case i am always getting redirected to form based login.

Thanks,
Kanishak

Issue might be coming as context protected by Kerberos auth scheme is xmlhttp type and does not redirect to creds.kcc? Have you tested it?

Kanishak1

Just out of curiosity,

• what version of CA SSO are you currently on ?
• is this work still in development stage ?

The reason I ask this is because, it is good we are trying to get this to work. I built a custom solution for Kerberos failover to forms for a customer. We then stalled the entire custom work because Kerberos failover to forms is likely to be released in next version of CA SSO. I do not intend to promise (nor reveal) as Product Management would be in a better position to confirm on when and which version of CA SSO will have this OOB. So if I were in your shoe's; I'd check this via CA Account Manager to get a timeline from Product Management. Just trying to save you custom work, if you are still in development phases. Yes there'll be an upgrade involved for sure. So we just need to weigh in all factors.

Regards

Hubert

We are on 12.7.02 and we have work extensively with CA services and CA support to make our IWA fallback to form work and that is also not working OOB , we have CA case running for months. Prior to it we had custom solution for Kerberos fallback to form which works in most of our flows but at times it gives windows prompt so i am thinking to go back to that solution if we can solve windows prompt with custom solution.

Thanks,

Kanishak

Thank You Kanishak1 for the inputs. Could you message me the case# in a private message via communities messaging. Would like to have a read on the case, at-least be knowledgeable about it as to the anomaly.

I am not sure how to send private message , Please send me your email id , i can send you case number on it.

Thanks,

Kanishak

@Hubert,

We have CA SSO 12.8 and we are trying to achieve the same thing as @Kanishak. Any input from your end also will help us a lot.

And how to send a private message through communities?

Kanishak1

Add the case# here. It is OK. 

jschristiein

The way I achieved Kerb fall back to forms was using a completely different path.

I used something we already have as a starting point. This was proven for IWA. I used it for Kerberos.
https://communities.ca.com/docs/DOC-231151411  
https://communities.ca.com/servlet/JiveServlet/download/2031-99216727-99217046-47762/winforms+select+auth+1.2.zip  

First Step : Forget everything else and get a basic OOB Kerberos authentication scheme working. If a simple OOB Kerberos Authentication Scheme isn't working, don't even attempt customization.

Second Step : I followed the documentation with “winforms+select+auth+1.2.zip”. However instead of using an IWA Auth Scheme I used Kerberos Authentication Scheme. Screen Shot below. Our Kerberos Auth Scheme (WAM UI) content rendering does not effectively handle the Custom Target login page. I can create a new Kerb Auth with login page target as ASP. But when I save and then try to view it keeps reverting to /kerb.kcc (seems like the current Kerb Auth Scheme is hardcoded in UI to use kerb.kcc). But as long as we are aware / knowledgeable, I can deal with it and made Customer aware how to work with it. At the end of the WAM UI representations plays a very minor role, the bigger picture is what is present within the policy store. Another thing we have identified is if a Customer ENV uses CA SSO IWA and the decides to move to Kerberos, we have to turn off CA SSO IWA and then enable CA SSO Kerberos. If we opened a browser, accessed IWA protected resource and on the same browser access Kerberos protected resource, it goes into an indefinite loop. Something from IWA (NTLMCreds etc) does not gel well with Kerberos. Am assuming it is the FCCCompatMode setting, but never had the time to investigate that as we agreed to turn off IWA. We won't have both (IWA and Kerb) enabled at the same time.

XPSExplorer (Actual's)

We tested this for single factor logins and it works like a charm. We were in the process of testing Federation and OIDC usecases when we stalled this custom solution, as we received confirmation of Kerberos FO to Forms will be delivered soon.

Lastly don't hold me to this statement "Kerberos Failover to Forms will be available in R12.8 SP2" - This is the statement my Customer received. Current anticipated arrival date for R12.8 SP2 is Dec 2018. You could re-verify this via your CA Account Manager. 

It gets redirected to context protected by kerberos default but i do not see any redirection to creds.kcc(its authentication scheme) and directly it goes to fallback.

But if i access that context directly in browser it works fine, so what i am assuming is that from script it is making that context xmlhttp type of request and SSOdoes not know what to do with it.

have you tried this set up? Does it work?

Thanks,

Kanishak

Hi,

It works fine if i remove the cookie provider URL , Cookie provider URL is in different domain and w eneed to have cookie provider URL , Any thoughts on how to achieve with cookie provider?

Thanks,

Kanishak

I would not recommend having a Cookie Provider domain different from a login domain (that causes too many redirections). Try to see if you keep Cookie Provider Agent and Login Agent (doing kerberos authentication) the same. Just a thought.

Yes we have to support legacy and new platform but we will eventually have cookie provider and login domain same.

Redirections are fine for now but above script does not work if we have cookie provider enabled , not sure we are hitting CORS.

Thanks,

Kanishak

Any suggestion if i am using cookie provider in other domain than the AJAX script being hosted , i see it fails as it never redirects to creds.kcc URL but if i disable cookie provider it works fine.

Please let me know if any suggestion to make it work with cookie provider.

Thanks,

Kanishak

I was able to make it work if i use same domain cookie provider , But when it falling back to form login it is losing the original target , can you let me know what you did in script to redirect to original target?

Thanks,

Kanishak

wadami Can you please see how we can persist the target in case of fallback to form , we have to redirect the user to originating application.

Thanks,

Kanishak

wadami I was able to fix the issue and fallback with form based login is working fine , but e have to protect the fallback with custom authentication scheme where it goes through MFA process , here i am getting smauthreason=27 in the riskeval URL.

HubertDennis - Can you also see and help on above issue.

Thanks,

Kanishak

wadami HubertDennis - Please ignore i am able to solve it.

I will test password policies with Kerberos and see their behavior.

Thanks,

Kanishak

Hi ,

I have issue with different user states where if user is locked meaning disabled flag is 2 it redirects to password service URL and smauthreason is 24 , it is 200 on that URL and i can see content as well  which ideally should load that page but it goes into infinite loop , if i access that password service URL directly on the browser it loads that page.

Can you please see if you are able to replicate this issue.

Thanks

wadami HubertDennis 

The solution that we implemented works , but i have issue with different user states like disable flag =2 , 8 (locked , expired and disabled) where after creds.kcc , password service URL kicks in which is 200 status code but as our window.location is target it keeps looping , I tried disabling password service in authentication scheme but than default password service URL kicks in and it keeps looping. We are using AD as user store but when disable flag is 2 , 8 useraccount control is 512 only .

I tried fetch which has limitation of IE11 and looking to use axios by which i can fectch password service an dcompare with it and have window.location to fallback otherwise to target but i am not succesfull yet.

Can you please see how we can achieve it and see what we can modify in the script. If we can solve this than i think this will be better solution to achieve functionality.

Looking forward for some inputs.

Thanks.

wadami yes that is correct which is what i am trying but not able to do , can you please help with it.

Thanks,

Kanishak

Kanishak1

Could you please contact me on jschristiein@gmail.com.

Here is the final solution that i implemented and is working for all different user states/disable flag values:

Problem statement : To have Kerberos based authentication for on domain and on network and fallback to form otherwise. We were getting windows pop-up in case of failover and we wanted to get rid of it.

Solution : Below is the script being used on access gateway server:

<html>

<head>

<meta http-equiv="X-UA-Compatible" content="IE=edge">

<script src="jquery-3.3.1.min.js"></script>

<script>

$(document).ready(function(){

        $.ajax({

        type: 'GET',

        xhrFields: {

                'withCredentials': true

        },

        crossDomain: true,

        url: '',  // Dummy URl protected with kerberos authentication scheme

        cache: false,

        success: function () {

                function getUrlParameter(name) {

                        name = name.replace(/[\[]/, '\\[').replace(/[\]]/, '\\]');

                        var regex = new RegExp('[\\?&]' + name + '=([^&#]*)');

                        var results = regex.exec(location.search);

                        return results === null ? '' : decodeURIComponent(results[1].replace(/\+/g, ' ').replace('-SM-','').replace('$SM$',''));

                };

                var target = getUrlParameter('TARGET');

                console.log("Sucesso!");

                window.location = target;

        },

        error: function(XMLHttpRequest, textStatus, errorThrown) {

                function getUrlParameter(name) {

                        name = name.replace(/[\[]/, '\\[').replace(/[\]]/, '\\]');

                        var regex = new RegExp('[\\?&]' + name + '=([^&#]*)');

                        var results = regex.exec(location.search);

                        return results === null ? '' : decodeURIComponent(results[1].replace(/\+/g, ' ').replace('-SM-','').replace('$SM$',''));

                };

                var target = getUrlParameter('TARGET');

                target = target.replace(/^https?:\/\/[^\/]+/g,"");

                console.log("some error " + textStatus + " " + errorThrown);

                console.log(XMLHttpRequest);

                window.location = "domain/fallback.jsp?TARGET=" + target;        // Fallback URL protected with form based authentication scheme

        },

        async: false

    });

});

</script>

</head>

<h1>Redirecting to app...</h1>

</body>

</html>

Fallback.jsp is protected with MFA authentication scheme.

To handle different disable flag values like - 2 , 8 , 1 etc disabled password policy on Kerberos authentication scheme but than it was triggering siteminder default password service with smauthreason 7 so we removed the password service itself(renamed smpw.fcc) so that it gives 500 and it goes to error condition in above script which will make it fallback to form.

We have our custom password service URL for form based authentication so there was no need to have default one which also help resolve the above use case.

We have issues with OOB solution with different user states and that needs additional windows server and also uses NTLM based authentication so this solution works and can be considered as potential one.

Thanks wadami for all your help.

I am trying to implement a similar solution but i have NTLMv2 instead of kerberos, can this script be extrapolated in case of NTLM  , i  am trying to use this solution as i can deploy this easliy on my SPS server .